Exploiting Design Flaws Active Intrusion Prevention
Transcript of Exploiting Design Flaws Active Intrusion Prevention
Exploiting Design Flaws
for
Active Intrusion Prevention
They’re Coming for Your Tools!
Speaker Background
John Ventura
Part of Optiv’s Research Practice
Former ISS X-Force Penetration Tester
Malware Researcher
What Are We Doing?
We are targeting design flaws in common attack tools and methodologies for intrusion prevention, because:
• Attackers often use popular software and attack techniques
• These software packages and techniques exhibit vulnerabilities
• We can safely go much further than current IDS/IPS solutions with little cost
Hey, Blue and Red Teams!
• You can exploit design flaws for intrusion prevention!
• (Proactive responses are possible!)
• Your attack tools are an attack surface!
• (Steal other people’s shells!)
What Are We Doing?
Strategies demonstrated today:
• MiTM against insecure command and control• Meterpreter
• Powershell Empire
• Much much more…
• Countermeasures against brute-force password recovery• NBNS/LLMNR Spoofing
• WPA2 PSK Recovery
How We Are Doing It:
• We have POCs!
• All Salad Project POCs together take less than 200K of memory
Targeting Command and
Control Staging
• Mass-market C2 is really difficult
• MiTM attacks against Command and Control Channels are possible
Configuration File for
Meterpreter MiTM
Meterpreter MiTM
(What We See)
Meterpreter MiTM
(What THEY See)
Targeting C2 Staging
• Powershell Empire staging is also vulnerable
• Version 1.6 uses XOR for payload “encryption”
• Version 2.0 uses RC4 with known plaintext
• Both are vulnerable
How Empire Works
Powershell Empire MiTM
Summarized
Step 1) Intercept an instance of staging• The part that happens after
“powershell.exe -NoP -sta -NonI -W Hidden -EncWwBTAHkAUwB0AEUATQAuAE4ARQB0AC4AUwBlAFIAVgBpAGMARQ…”
Step 2) Repackage the payload• XOR key recovery with frequency analysis for 1.6
- Limited key space and hints about plaintext help us!
• XOR RC4 cipher stream with known python plaintext for 2.0- Keystream⊕ Known Python Script = Original Payload
- Known Python Script ⊕ Original Payload = Keystream
- Keystream⊕ OUR SCRIPT = New Payload
Step 3) MiTM
What We See
What The Attacker Sees
DoublePulsar/Fuzzbunch
Countercept has informative content:
• https://github.com/countercept/doublepulsar-detection-script/
• Just detect it, and point the client at it
Cobalt Strike
• Multiple staging options
• Data integrity checks
• https://blog.cobaltstrike.com/2016/06/22/talk-to-your-children-about-payload-staging/
Disrupting Password Cracking
Inserting bogus hashes makes real ones harder to find and crack
Targeting LLMNR/NBNS Attacks
• LLMNR/NBNS based MiTM attacks are very common and very effective
• Laurent Gaffie’s “Responder” is really effective
• Attackers announce their presence on the network
• Detection and disruption are possible
Targeting LLMNR/NBNS Attacks
Targeting LLMNR/NBNS Attacks
Targeting LLMNR/NBNS Attacks
Targeting WPA2 PSK Attacks
• Attackers who want to recover WPA2 passwords must sniff handshakes between APs and hosts
• The generation of fake handshakes compromises password cracking efforts
Targeting WPA2 PSK Attacks
WPA2 PSK Spoofing
(What Defenders See)
WPA2 PSK Spoofing
(What Attackers See)
The Future
• Integration with- OpenWRT
- Existing IDS/IPS systems
- Proxies
• Target ANY tool that otherwise works
Thanks!
• GitHub for The Seek Locate Destroy Toolkit
https://github.com/johnventura/The-Salad-Project
• Twitter@JohnAVentura